1. Field of the Invention
This invention pertains in general to computer security, and more specifically to hygiene-based detection of portals exploited by malware.
2. Description of the Related Art
Computer systems are continually threatened by attack from malicious computer code (e.g., viruses, worms, and Trojan horses), making computer security a prominent concern. Malicious entities sometimes attack servers that store sensitive or confidential data that can be used to the malicious entity's own advantage. Similarly, other computers, including home computers, must be constantly protected from malicious software that can be transmitted when a user communicates with others via electronic mail, when a user downloads new programs or program updates, and in many other situations. Malicious entities have numerous options and methods for attacking a computer.
One method commonly employed by malicious entities is the use of injection techniques to insert their own logic into a legitimate process (e.g., svchost.exe). This legitimate process is then used as a safe haven from which to introduce malware executable files onto a system, effectively making the process a “malware portal” through which a computer can be infected. Similarly, many of the latest attacks gain control of a system by executing a buffer overflow attack on a legitimate application or by running a malicious script in a legitimate application, such as MICROSOFT® WORD or ADOBE® ACROBAT®. In this manner, the attacker can take control of the application and then use this legitimate application to install malware onto the system.
In these types of malware portal attacks, the attackers can use many different applications as the channel through which malicious code is introduced onto a computer. These applications are sometimes forced to perform activities that they would not normally perform in their standard operation. For example, infected programs may be forced to create new executable files (e.g., malicious files) whether or not creating executable files is an activity normally performed by those programs. While various programs regularly perform a collection of different activities, it is not known which activities are legitimate for which programs.
Therefore, there is a need in the art for a solution that determines the legitimacy of different activities for different applications to identify whether a given application has been compromised by malware.
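As an added illustration of the detection approach this background motivates (example code written for this page, not from the patent or any product), the following builds a per-program activity baseline from observations on clean hosts and flags activities a program does not normally perform, such as a document viewer or svchost.exe creating an executable file. The event data, activity names and the 50% prevalence threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (host, process, activity) observations collected from
# clean machines during a baseline period. Hypothetical data for illustration.
BASELINE_EVENTS = [
    ("h1", "msiexec.exe", "create_executable"),
    ("h2", "msiexec.exe", "create_executable"),
    ("h3", "msiexec.exe", "create_executable"),
    ("h1", "svchost.exe", "network_connect"),
    ("h2", "svchost.exe", "network_connect"),
    ("h3", "svchost.exe", "network_connect"),
    ("h1", "winword.exe", "open_document"),
    ("h2", "winword.exe", "open_document"),
    ("h3", "winword.exe", "open_document"),
    ("h2", "winword.exe", "network_connect"),
]


def build_baseline(events):
    """Map (process, activity) -> set of hosts where the pair was seen on a clean machine."""
    seen = defaultdict(set)
    for host, process, activity in events:
        seen[(process.lower(), activity)].add(host)
    return seen


def legitimacy_score(baseline, total_hosts, process, activity):
    """Fraction of baseline hosts on which this process legitimately performed this activity."""
    hosts = baseline.get((process.lower(), activity), set())
    return len(hosts) / total_hosts if total_hosts else 0.0


def flag_portal_activity(baseline, total_hosts, observed, threshold=0.5):
    """Return (process, activity, score) for observed pairs whose prevalence on clean
    hosts is below the threshold, i.e. activities the program does not normally perform."""
    flagged = []
    for process, activity in observed:
        score = legitimacy_score(baseline, total_hosts, process, activity)
        if score < threshold:
            flagged.append((process, activity, round(score, 2)))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    host_count = len({host for host, _, _ in BASELINE_EVENTS})
    # Constructed live observations from a host under investigation.
    observed = [("svchost.exe", "create_executable"), ("winword.exe", "create_executable"),
                ("msiexec.exe", "create_executable"), ("winword.exe", "network_connect")]
    for hit in flag_portal_activity(baseline, host_count, observed):
        print("suspicious activity:", hit)
```

Only the installer creating executables passes; svchost.exe and the word processor creating executables score zero and are reported as possible portal activity.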